Add Terraform V4 Support (and Graviton) (#53)

* Upgrading to Terraform Provider V4

Author: petewilcock

.github/workflows/testsuite-master.yaml

@@ -13,7 +13,7 @@ jobs:
       - name: setup Terraform
         uses: hashicorp/[email protected]
         with:
-          terraform_version: 0.15.5
+          terraform_version: 1.1.7
       - name: Terraform init
         run: terraform init --backend=false
       - name: tflint
@@ -31,7 +31,7 @@ jobs:
       - name: setup Terraform
         uses: hashicorp/[email protected]
         with:
-          terraform_version: 0.15.5
+          terraform_version: 1.1.7
       - name: Terraform init
         run: terraform init --backend=false
       - name: tfsec
@@ -46,10 +46,10 @@ jobs:
     steps:
       - uses: actions/[email protected]
       - name: misspell
-        uses: reviewdog/action-misspell@v1
+        uses: reviewdog/action-misspell@v1.11.0
         with:
           github_token: ${{ secrets.ACTIONS_TOKEN }}
-          locale: "US"
+          locale: "UK"
           reporter: github-check
           filter_mode: added
           level: error

.github/workflows/testsuite.yaml

@@ -40,7 +40,7 @@ jobs:
       - name: setup Terraform
         uses: hashicorp/[email protected]
         with:
-          terraform_version: 0.15.5
+          terraform_version: 1.1.7
       - name: Terraform init
         run: terraform init --backend=false
       - name: tflint
@@ -58,7 +58,7 @@ jobs:
       - name: setup Terraform
         uses: hashicorp/[email protected]
         with:
-          terraform_version: 0.15.5
+          terraform_version: 1.1.7
       - name: Terraform init
         run: terraform init --backend=false
       - name: tfsec
@@ -73,10 +73,10 @@ jobs:
     steps:
       - uses: actions/[email protected]
       - name: misspell
-        uses: reviewdog/action-misspell@v1
+        uses: reviewdog/action-misspell@v1.11.0
         with:
           github_token: ${{ secrets.ACTIONS_TOKEN }}
-          locale: "US"
+          locale: "UK"
           reporter: github-pr-check
           filter_mode: added
           level: error

.header.md

@@ -47,11 +47,11 @@ As such you should include the following in your provider configuration:
 
 ```
 terraform {
-  required_version = "> 0.15.1"
+  required_version = "> 1.0"
   required_providers {
     aws = {
       source                = "hashicorp/aws"
-      version               = "~> 3.0"
+      version               = "~> 4.0"
       configuration_aliases = [aws.ue1]
     }
   }
@@ -66,6 +66,9 @@ provider "aws" {
 
 The `ue1` alias is essential for this module to work correctly.
 
+## Severless Static Wordpress V2 Upgrade Guide
+See [UPGRADING](docs/UPGRADING.md) for Version 2 upgrade guidance, including for Version 4 of the AWS Terraform Provider.
+
 ## Module instantiation example
 
 ```

.pre-commit-config.yaml

@@ -33,7 +33,7 @@ repos:
         args: ["--output-file", "README.md", "markdown", "modules/waf"]
         pass_filenames: false
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.31.0
+    rev: v1.64.0
     hooks:
       - id: terraform_fmt
       - id: terraform_tflint

CHANGELOG.md

@@ -1,16 +1,35 @@
 # Changelog
 
+## 0.2.0 - UNRELEASED
+
+! BREAKING CHANGES ! - See [UPGRADING.md](docs/UPGRADING.md) for guidance on upgrading from v0.1.x
+
+ ### **Maintenance**:
+
+ - Module upgraded to AWS Terraform v4. Existing installations will need Terraform state moved for forwards
+compatibility.
+
+### **New Features**
+- Added support for Graviton-based CodeBuild if supported in deployment region. Will gracefully fallback to
+non-Graviton if not supported.
+- Added support for Graviton-based ECS Fargate if supported in deployment region. Will fallback to non-Graviton
+if not supported, however source docker image used for ECS container MUST be AMD64/ARM64 architecture respectively.
+Note FARGATE_SPOT is not supported for Graviton-based ECS at this time.
+- Added healthCheeck block to ECS Task Definition.
+- Added EventBridge monitoring for ECS Service Action events (which captures placement failures when using FARGATE_SPOT
+ capacity provider)
+
 ## 0.1.2 - 23rd June 2021
 
-Bugfix: Changed special characters used in RDS password generation to ensure compatibility.
-Docs: Updated to fix typos in helper commands, and detailed supported RDS Aurora v1 regions.
+- **Bugfix**: Changed special characters used in RDS password generation to ensure compatibility.
+- **Docs**: Updated to fix typos in helper commands, and detailed supported RDS Aurora v1 regions.
 
 ## 0.1.1 - 19th June 2021
 
-Bugfix: Refactor md5 calculation on archive_file in codebuild child module.
-Bugfix: Re-typed AWS account number as string to avoid rounding on account numbers prepended with zeros.
-Bugfix: Fix passed WAF variable values if set to inactive.
+- **Bugfix**: Refactor md5 calculation on archive_file in codebuild child module.
+- **Bugfix**: Re-typed AWS account number as string to avoid rounding on account numbers prepended with zeros.
+-- **Bugfix**: Fix passed WAF variable values if set to inactive.
 
 ## 0.1.0 - 19th June 2021
 
-Initial release of Serverless Static Wordpress Terraform module.
+- Initial release of Serverless Static Wordpress Terraform module.

README.md

@@ -48,11 +48,11 @@ As such you should include the following in your provider configuration:
 
 ```
 terraform {
-  required_version = "> 0.15.1"
+  required_version = "> 1.0"
   required_providers {
     aws = {
       source                = "hashicorp/aws"
-      version               = "~> 3.0"
+      version               = "~> 4.0"
       configuration_aliases = [aws.ue1]
     }
   }
@@ -67,6 +67,9 @@ provider "aws" {
 
 The `ue1` alias is essential for this module to work correctly.
 
+## Severless Static Wordpress V2 Upgrade Guide
+See [UPGRADING](docs/UPGRADING.md) for Version 2 upgrade guidance, including for Version 4 of the AWS Terraform Provider.
+
 ## Module instantiation example
 
 ```
@@ -229,6 +232,8 @@ For any issues relating to this module, [raise an issue against this repo.](http
 | <a name="input_cloudfront_class"></a> [cloudfront\_class](#input\_cloudfront\_class) | The [price class](https://aws.amazon.com/cloudfront/pricing/) for the distribution. One of: PriceClass\_All, PriceClass\_200, PriceClass\_100 | `string` | `"PriceClass_All"` | no |
 | <a name="input_ecs_cpu"></a> [ecs\_cpu](#input\_ecs\_cpu) | The CPU limit password to the Wordpress container definition. | `number` | `256` | no |
 | <a name="input_ecs_memory"></a> [ecs\_memory](#input\_ecs\_memory) | The memory limit password to the Wordpress container definition. | `number` | `512` | no |
+| <a name="input_graviton_codebuild_enabled"></a> [graviton\_codebuild\_enabled](#input\_graviton\_codebuild\_enabled) | Flag that controls whether CodeBuild should use Graviton-based build agents in [supported regions](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html). | `bool` | `false` | no |
+| <a name="input_graviton_fargate_enabled"></a> [graviton\_fargate\_enabled](#input\_graviton\_fargate\_enabled) | Flag that controls whether ECS Fargate should use Graviton-based containers in [supported regions]https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate-Regions.html). | `bool` | `false` | no |
 | <a name="input_hosted_zone_id"></a> [hosted\_zone\_id](#input\_hosted\_zone\_id) | The Route53 HostedZone ID to use to create records in. | `string` | n/a | yes |
 | <a name="input_launch"></a> [launch](#input\_launch) | The number of tasks to launch of the Wordpress container. Used as a toggle to start/stop your Wordpress management session. | `number` | `"0"` | no |
 | <a name="input_main_vpc_id"></a> [main\_vpc\_id](#input\_main\_vpc\_id) | The VPC ID into which to launch resources. | `string` | n/a | yes |
@@ -265,8 +270,8 @@ For any issues relating to this module, [raise an issue against this repo.](http
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.1.0 |
 ## Resources
 
@@ -279,6 +284,7 @@ For any issues relating to this module, [raise an issue against this repo.](http
 | [aws_db_subnet_group.main_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
 | [aws_ecr_repository.serverless_wordpress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
 | [aws_ecs_cluster.wordpress_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource |
+| [aws_ecs_cluster_capacity_providers.wordpress_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster_capacity_providers) | resource |
 | [aws_ecs_service.wordpress_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource |
 | [aws_ecs_task_definition.wordpress_container](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
 | [aws_efs_access_point.wordpress_efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_access_point) | resource |
@@ -307,4 +313,5 @@ For any issues relating to this module, [raise an issue against this repo.](http
 | [random_password.serverless_wordpress_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [aws_iam_policy_document.ecs_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.wordpress_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 <!-- END_TF_DOCS -->

docs/UPGRADING.md

@@ -0,0 +1,36 @@
+## Upgrading from 0.1.x to 0.2.x
+
+Version 0.2 of Serverless Static Wordpress makes numerous updates to the resources used to deploy the solution, as well
+as expanding functionality with additional options.
+
+Where possible, this has been done in a way to be as backwards compatible as reasonably possible - however there are a
+variety of quirks of Terraform behaviour that can mean that this is imperfect, and may require a manual tweak either to
+the configuration in AWS, or to the Terraform state backing the resources.
+
+### Upgrading to Version 4 of the Terraform AWS Provider
+Version 4 of the AWS Provider introduced a few breaking changes to the way ECS and S3 resources are defined. Attributes
+that would normally be specified as part of the single resource definition have now been split out into their own
+resources. To cope with this, we have created these resources, and _existing_ resources can be handled with some
+terraform state operations. To date, these are documented as follows.
+
+NOTE, in these examples, the example `site_name` is `peterdotcloud` and the resources are named accordingly. You will
+need to substitute these values with the value used for your own deployment
+
+```
+terraform import module.peterdotcloud_website.aws_ecs_cluster_capacity_providers.wordpress_cluster peterdotcloud_wordpress
+terraform state rm module.peterdotcloud_website.module.codebuild.aws_s3_bucket_object.wordpress_dockerbuild
+terraform import module.peterdotcloud_website.module.codebuild.aws_s3_object.wordpress_dockerbuild peterdotcloud-build/wordpress_docker.zip
+terraform import module.peterdotcloud_website.module.cloudfront.aws_s3_bucket_server_side_encryption_configuration.wordpress_bucket www.peter.cloud
+terraform import module.peterdotcloud_website.module.codebuild.aws_s3_bucket_acl.code_source peterdotcloud-build
+terraform import module.peterdotcloud_website.module.codebuild.aws_s3_bucket_server_side_encryption_configuration.code_source peterdotcloud-build
+```
+### Graviton
+
+With support for ARM in CodeBuild, and in ECS in regions where it is supported (strictly better for cost/performance),
+the module will need to recreate your task definition and ECS service. This is nothing to be concerned with however you
+ **must** ensure your base image of Wordpress is an arm64 platform version (and preferably linux/arm64/v8) otherwise
+ your Wordpress container will error out with `exec user process caused: exec format error` which indicates your image
+ is of the mismatched architecture.
+
+ Note that when using Graviton-based containers for ECS, FARGATE_SPOT is not currently available (bear this in mind for
+ cost).

ecs.tf

@@ -1,3 +1,5 @@
+data "aws_region" "current" {}
+
 resource "aws_efs_file_system" "wordpress_persistent" {
   encrypted = true
   lifecycle_policy {
@@ -123,6 +125,11 @@ resource "aws_ecs_task_definition" "wordpress_container" {
     site_name                = var.site_name
   })
 
+  runtime_platform {
+    operating_system_family = "LINUX"
+    cpu_architecture        = var.graviton_fargate_enabled ? (contains(local.graviton_fargate_regions_unsupported, data.aws_region.current) ? "X86_64" : "ARM64") : "X86_64"
+  }
+
   cpu                      = var.ecs_cpu
   memory                   = var.ecs_memory
   requires_compatibilities = ["FARGATE"]
@@ -218,7 +225,7 @@ resource "aws_ecs_service" "wordpress_service" {
   desired_count   = var.launch
   # iam_role =
   capacity_provider_strategy {
-    capacity_provider = "FARGATE_SPOT"
+    capacity_provider = var.graviton_fargate_enabled ? (contains(local.graviton_fargate_regions_unsupported, data.aws_region.current) ? "FARGATE_SPOT" : "FARGATE") : "FARGATE"
     weight            = "100"
     base              = "1"
   }
@@ -236,10 +243,14 @@ resource "aws_ecs_service" "wordpress_service" {
 # TODO: Add option to enable container insights
 #tfsec:ignore:AWS090
 resource "aws_ecs_cluster" "wordpress_cluster" {
-  name               = "${var.site_name}_wordpress"
-  capacity_providers = ["FARGATE_SPOT"]
+  name = "${var.site_name}_wordpress"
+}
+
+resource "aws_ecs_cluster_capacity_providers" "wordpress_cluster" {
+  cluster_name       = aws_ecs_cluster.wordpress_cluster.name
+  capacity_providers = [var.graviton_fargate_enabled ? (contains(local.graviton_fargate_regions_unsupported, data.aws_region.current) ? "FARGATE_SPOT" : "FARGATE") : "FARGATE"]
   default_capacity_provider_strategy {
-    capacity_provider = "FARGATE_SPOT"
+    capacity_provider = var.graviton_fargate_enabled ? (contains(local.graviton_fargate_regions_unsupported, data.aws_region.current) ? "FARGATE_SPOT" : "FARGATE") : "FARGATE"
     weight            = "100"
     base              = "1"
   }

main.tf

@@ -7,14 +7,15 @@ module "lambda_slack" {
 }
 
 module "codebuild" {
-  source                   = "./modules/codebuild"
-  site_name                = var.site_name
-  site_domain              = var.site_domain
-  codebuild_bucket         = "${var.site_name}-build"
-  main_vpc_id              = var.main_vpc_id
-  wordpress_ecr_repository = aws_ecr_repository.serverless_wordpress.name
-  aws_account_id           = var.aws_account_id
-  container_memory         = var.ecs_memory
+  source                     = "./modules/codebuild"
+  graviton_codebuild_enabled = var.graviton_codebuild_enabled
+  site_name                  = var.site_name
+  site_domain                = var.site_domain
+  codebuild_bucket           = "${var.site_name}-build"
+  main_vpc_id                = var.main_vpc_id
+  wordpress_ecr_repository   = aws_ecr_repository.serverless_wordpress.name
+  aws_account_id             = var.aws_account_id
+  container_memory           = var.ecs_memory
 }
 
 module "cloudfront" {

modules/cloudfront/README.md

@@ -44,6 +44,7 @@ No requirements.
 | [aws_s3_bucket.wordpress_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_policy.wordpress_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.wordpress_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.wordpress_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [archive_file.index_html](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
 | [aws_iam_policy_document.lambda-edge-cloudwatch-logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lambda-edge-service-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

modules/cloudfront/distribution.tf

@@ -1,14 +1,16 @@
 # TODO: Add optional logging for S3 bucket
 # TODO: Add optional versioning for S3 bucket
-#tfsec:ignore:AWS002 #tfsec:ignore:AWS077
+#tfsec:ignore:AWS002 #tfsec:ignore:AWS017 #tfsec:ignore:AWS077
 resource "aws_s3_bucket" "wordpress_bucket" {
   bucket        = "${var.site_prefix}.${var.site_domain}"
   force_destroy = true
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "AES256"
-      }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "wordpress_bucket" {
+  bucket = aws_s3_bucket.wordpress_bucket.bucket
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
     }
   }
 }